Following are three scenarios in which ISA Server and a TS Gateway server can be used together to enhance security for remote connections to internal network resources:

ISA Server as an SSL bridging device (Web proxy). In this scenario, ISA Server is hosted in a perimeter network and provides SSL bridging between the Terminal Services client and the TS Gateway server. The TS Gateway server is hosted in the corporate/private network.

This scenario is illustrated under “Setting up the TS Gateway ISA Server scenario,” in the next section.

ISA Server as a firewall and SSL bridging device. In this scenario, ISA Server functions as a firewall that performs port filtering, packet filtering, and SSL bridging. The TS Gateway server can be hosted in the corporate/private network or in the perimeter network, depending on whether the ISA Server is located as the external firewall or the internal firewall.

ISA Server as a firewall that performs port filtering (server publishing). In this scenario, ISA Server functions as an external packet filtering firewall and permits traffic only over port 443. The TS Gateway server is hosted in the perimeter network.

Note

The steps in this setup guide provide detailed configuration information only for the first scenario (ISA Server as a Web proxy). The other two scenarios are mentioned as alternate ways in which ISA Server can be used with TS Gateway to enhance security for remote connections to internal network resources.

System configurations tested for the TS Gateway ISA Server scenario

Microsoft tested the TS Gateway ISA Server scenario by using the following system configurations.

Configuring connections between ISA Server and TS Gateway server

You can configure ISA Server communication with the TS Gateway server in either of the following two ways:

HTTPS-HTTPS bridging: In this configuration, the TS Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device terminates that connection, inspects the request, and initiates a new HTTPS request to the TS Gateway server. Use this configuration for maximum security: both hops are encrypted, and ISA Server validates the certificate that the TS Gateway server presents on the second hop.

HTTPS-HTTP bridging: In this configuration, the TS Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device terminates that connection and initiates a new, unencrypted HTTP request to the TS Gateway server. Use this configuration only when the network segment between ISA Server and the TS Gateway server is trusted, because the second hop is not protected by SSL.

Setting up the TS Gateway ISA Server scenario

The following diagram illustrates the ISA Server scenario for TS Gateway, in which ISA Server is used as an SSL bridging device.

Note

The steps in this setup guide describe how to set up remote access from a Terminal Services client through a TS Gateway server, where SSL traffic from the client is first sent to the ISA Server, which is used for SSL bridging. The guide does not describe how to install ISA Server 2004 or ISA Server 2006, nor does it describe how to configure the firewalls illustrated in the diagram, the terminal servers running RemoteApp programs (hosting LOB applications), or the perimeter network or Active Directory infrastructure. The diagram is provided to suggest one way in which this scenario might be implemented in a production environment.

1. Export the SSL certificate for the TS Gateway server and copy it to the ISA Server

When you export the certificate, ensure that you export the private key. If this option is not available for the certificate that you have selected, you must obtain a new certificate for ISA Server. For information about ISA Server certificate requirements, see Digital Certificates for ISA Server 2004 (http://go.microsoft.com/fwlink/?LinkId=104827) and Troubleshooting SSL Certificates in ISA Server Publishing (http://go.microsoft.com/fwlink/?LinkId=104826).

Perform the following procedure on the TS Gateway server to export the SSL certificate for the TS Gateway server and copy it to the ISA Server.

To export the SSL certificate for the TS Gateway server and copy it to the ISA Server

On the TS Gateway server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:

Click Start, click Run, type mmc, and then click OK.

On the File menu, click Add/Remove Snap-in.

In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

In the Certificates snap-in dialog box, click Computer account, and then click Next.

In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

In the Add or Remove snap-ins dialog box, click OK.

In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Personal, and then click Certificates.

Under Certificates, click the TS Gateway server certificate. If more than one certificate is listed and you are unsure which certificate to select, view the properties for each certificate to identify the certificate that meets TS Gateway server requirements (an SSL server certificate whose subject name matches the name that clients will use to connect, and whose private key is present and exportable).

Right-click the TS Gateway certificate to export, point to All Tasks, and then click Export.

On the Welcome to the Certificate Export Wizard page, click Next.

On the Export Private Key page, click Yes, export the private key, and then click Next.

On the Export File Format page, ensure that Personal Information Exchange - PKCS #12 (.PFX) is selected, select the Include all certificates in the certification path if possible check box, and then click Next.

On the Password page, type a password to protect the private key for the certificate, confirm the password, and then click Next.

On the File to Export page, in the File name box, click Browse.

In the Save As dialog box, specify the name of the certificate that you want to export and the location to which you want to export the certificate (ensure that the location can be accessed from the ISA Server), and then click Save.

On the File to Export page, click Next.

On the Completing the Certificate Export Wizard page, confirm that the correct certificate is specified, that Export Keys is set to Yes, and that Include all certificates in the certification path is set to Yes, and then click Finish.

After the certificate export has successfully completed, a message appears confirming that the export was successful. Click OK.

Close the Certificates snap-in.

Copy the exported .pfx file to the ISA Server over a secure channel (for example, an administrative file share, not e-mail). Because the file contains the private key of the TS Gateway server, delete it from both computers after the import in the next step succeeds.

2. Install the SSL certificate for the TS Gateway server on the ISA Server

Perform the following procedure on the ISA Server to install the SSL certificate for the TS Gateway server.

To install the SSL certificate for the TS Gateway server on the ISA Server

On the ISA Server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:

Click Start, click Run, type mmc, and then click OK.

On the File menu, click Add/Remove Snap-in.

In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

In the Certificates snap-in dialog box, click Computer account, and then click Next.

In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

In the Add or Remove snap-ins dialog box, click OK.

In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Personal.

Right-click the Personal folder, point to All Tasks, and then click Import.

On the Welcome to the Certificate Import Wizard page, click Next.

On the File to Import page, in the File name box, click Browse, and then browse to the location where you copied the SSL certificate for the TS Gateway server. Select the certificate (Certificate_Name.pfx), click Open, and then click Next.

On the Password page, do the following:

If earlier you specified a password for the private key associated with the certificate, type the password.

Leave the Mark this key as exportable check box cleared unless you expect to move the certificate again later. A private key that is not marked exportable cannot be exported again through the Certificates snap-in, which limits what an attacker who gains administrative access to the ISA Server can do with it.

Ensure that the Include all extended properties check box is selected.

Click Next.

On the Certificate Store page, click Automatically select the certificate store based on the type of certificate, and then click Next.

On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected and that the following certificate settings appear:

Certificate Store Selected: Automatically determined by the wizard.

Content: PFX

File Name: FilePath\<Certificate_Name.pfx>, where <Certificate_Name> is the name of the TS Gateway server SSL certificate.

Click Finish.

After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.

With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the ISA Server. The certificate must be under the Personal store of the local computer.

3. Copy and install the TS Gateway server root certificate on the ISA Server

ISA Server must trust the certificate that it presents to clients and, with HTTPS-HTTPS bridging, the certificate that the TS Gateway server presents on the second hop. Perform the following procedure on the ISA Server if either of the following applies:

You are using a self-signed certificate or another SSL certificate type that is not already trusted by the ISA Server.

You did not select Include all certificates in the certification path if possible when you exported the certificate, or Automatically select the certificate store based on the type of certificate when you installed the certificate on the ISA Server (as described in the preceding procedures).

To copy and install the TS Gateway server root certificate on the ISA Server

On the ISA Server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:

Click Start, click Run, type mmc, and then click OK.

On the File menu, click Add/Remove Snap-in.

In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

In the Certificates snap-in dialog box, click Computer account, and then click Next.

In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

In the Add or Remove snap-ins dialog box, click OK.

In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.

On the Welcome to the Certificate Import Wizard page, click Next.

On the File to Import page, in the File name box, click Browse, and then browse to the location of the TS Gateway server root certificate. Select the root certificate (<Root_Certificate_Name.cer>, or, if the private key was also exported, <Root_Certificate_Name.pfx>), click Open, and then click Next.

Note

If you created a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation (as described in "Create a self-signed certificate for TS Gateway" in Configuring the TS Gateway Core Scenario), note that the self-signed certificate is also the root certificate.

On the Password page, if earlier you specified a password for the private key associated with the certificate, type the password.

On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.

On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:

File Name: FilePath\<Root_Certificate_Name.cer> (or <Root_Certificate_Name.pfx>), where <Root_Certificate_Name> is the name of the TS Gateway server root certificate.

Click Finish.

After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.

With Certificates selected in the console tree, in the details pane, verify that the root certificate of the TS Gateway server appears in the list of certificates on the ISA Server. Ensure that the certificate appears under the Trusted Root Certification Authorities store on the local computer.
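The following PowerShell script is an added example for this guide; it is not code from the guide, from ISA Server or from TS Gateway. Run it on the TS Gateway server before step 1 and on the ISA Server after step 3 to confirm, for every certificate in the Local Computer\Personal store, the properties that the preceding procedures depend on: a private key that can be exported, the Server Authentication enhanced key usage, a subject or Subject Alternative Name that matches the public name (and which of those ISA Server 2004, ISA Server 2006 and ISA Server 2006 SP1 will accept, see the notes under step 4), the validity dates, and a chain that builds to a root trusted on that computer. The public name tsg.contoso.com is a hypothetical placeholder.

```powershell
# Added example; not part of the original guide, of ISA Server or of TS Gateway.
# Inspects every certificate in the Local Computer\Personal store and reports the
# properties that steps 1 to 3 (and the Web listener notes in step 4) depend on.
# Assumption: tsg.contoso.com is a hypothetical public name; pass yours with -PublicName.
param(
    [string]$PublicName = "tsg.contoso.com"
)

$ServerAuthEku = "1.3.6.1.5.5.7.3.1"   # Enhanced Key Usage: Server Authentication
$SanOid        = "2.5.29.17"           # Subject Alternative Name extension
$EkuOid        = "2.5.29.37"           # Enhanced Key Usage extension

# DNS names from the SAN extension, in certificate order. Order matters: ISA Server 2006
# before SP1 accepts only the first SAN entry, and ISA Server 2004 accepts none.
function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $ext) { return }
    # Format($true) renders one entry per line, for example "DNS Name=tsg.contoso.com"
    foreach ($line in ($ext.Format($true) -split "`r?`n")) {
        if ($line -match '^DNS Name=(.+)$') { $matches[1].Trim() }
    }
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")

$report = foreach ($cert in $store.Certificates) {
    $cn  = $cert.GetNameInfo("SimpleName", $false)
    $san = @(Get-SanDnsNames $cert)

    # An SSL server certificate needs the Server Authentication EKU
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEku })
    }

    # The export wizard offers "Yes, export the private key" only for exportable keys
    $exportable = $false
    try {
        if ($cert.HasPrivateKey) { $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable }
    } catch { $exportable = "no access to key" }

    # Which name in the certificate matches the public name, and which ISA versions honour it
    $nameMatch = "none"
    if ($cn -eq $PublicName) { $nameMatch = "Subject CN (any ISA Server version)" }
    elseif ($san.Count -gt 0 -and $san[0] -eq $PublicName) { $nameMatch = "first SAN entry (ISA Server 2006 or later)" }
    elseif ($san -contains $PublicName) { $nameMatch = "later SAN entry (ISA Server 2006 SP1 only)" }

    # Building the chain on this computer shows whether the root is in Trusted Root Certification Authorities
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"   # trust only; revocation is a separate check
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","

    New-Object PSObject -Property @{
        Thumbprint           = $cert.Thumbprint
        SubjectCN            = $cn
        SAN                  = ($san -join ";")
        ValidNow             = ($cert.NotBefore -le (Get-Date) -and $cert.NotAfter -ge (Get-Date))
        HasPrivateKey        = $cert.HasPrivateKey
        PrivateKeyExportable = $exportable
        ServerAuthEKU        = $hasServerAuth
        NameMatch            = $nameMatch
        ChainTrusted         = $chainOk
        ChainStatus          = $status
    }
}
$store.Close()
$report | Format-List
```

Run the script from an elevated PowerShell prompt. The certificate that is ready for step 1 shows HasPrivateKey and PrivateKeyExportable True, ServerAuthEKU True, ValidNow True, and a NameMatch other than none. On the ISA Server after step 3, ChainTrusted must also be True; if it is False and ChainStatus reports UntrustedRoot, the root certificate is not yet in the Trusted Root Certification Authorities store of the ISA Server.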

4. Create a new Web publishing rule on the ISA Server

To configure the TS Gateway server and ISA Server for HTTPS-HTTP bridging or for HTTPS-HTTPS bridging, you must create the appropriate Web publishing rule on the ISA Server.

Important

The steps for creating a Web publishing rule for ISA Server will vary, based on whether you are using ISA Server 2004 or ISA Server 2006. Ensure that you follow the steps that correspond to the version of ISA Server that you are using.

Create a new Web publishing rule for ISA Server 2004

Use the following procedure to create a new Web publishing rule for ISA Server 2004.

To create a new Web publishing rule for ISA Server 2004

On the ISA Server, open ISA Server Management. To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

In the console tree, expand the ISA Server name, and then click Firewall Policy.

On the Tasks tab, click Publish a Secure Web Server.

On the Welcome to the SSL Web Publishing Rule Wizard page, in the SSL Web Publishing Rule Name box, type a name for the new Web publishing rule, and then click Next.

On the Publishing Mode page, click SSL Bridging, and then click Next.

On the Select Rule Action page, click Allow, and then click Next.

On the Bridging Mode page, do one of the following:

To enable HTTPS-HTTP bridging, click Secure connections to clients, and then click Next.

To enable HTTPS-HTTPS bridging, click Secure connection to clients and Web server, and then click Next.

On the Define Website to Publish page, do the following:

In the Computer name or IP address box, type the name of the TS Gateway server. The specified name must match the name of the TS Gateway server through which users will connect in this scenario. This name must also match the certificate name (CN) in the certificate that is installed on the TS Gateway server.

Select the Forward the original host header instead of the actual one (specified above) check box.

In the Path box, type /*.

On the Public Name Details page, do the following:

In Accept requests for, ensure that This domain name is selected.

In the Public name box, type the name of the TS Gateway server. The specified name must match the name of the TS Gateway server through which users will connect in this scenario.

In the Path box, type /*.

Click Next.

If required, create a new SSL Web listener. If you have a pre-existing listener with a certificate that matches the public name, you do not need to create a new SSL Web listener. In this case, select the appropriate Web listener, click Next, and then skip the New Web Listener steps that follow and continue at the step that confirms the Web listener properties on the Select Web Listener page.

If you do need to create a new SSL Web listener, do the following:

On the Select Web Listener page, click New. (If no Web listener has been configured for the ISA Server yet, the wizard opens the New Web Listener Wizard directly.) On the Welcome to the New Web Listener page, in the Web Listener Name box, type a name for the Web listener, and then click Next.

On the IP Addresses page, under Listen for requests from these networks, select the External check box, and then click Next.

On the Port Specification page, do the following:

Under SSL, select the Enable SSL check box, and then clear the Enable HTTP check box so that the listener accepts only SSL connections.

Click Select, and in the Select Certificate dialog box, click the certificate that you want to use.

Note

ISA Server 2004 cannot process certificate Subject Alternative Name (SAN) attributes. The Subject of the certificate installed at the published server must match the published host name used in the Web Publishing rule.

Click OK to close the Select Certificate dialog box, and then click Next.

On the Completing the New Web Listener Wizard page, click Finish.

On the Select Web Listener page, confirm that the correct Web listener properties appear, and then click Next.

On the User Sets page, click All Users, and then click Next.

On the Completing the New SSL Web Publishing Rule Wizard page, click Finish.

To save the changes and update the ISA Server firewall policy, in the details pane of the ISA Server Management console, click Apply.

In the Apply New Configuration dialog box, click OK after the changes are applied (a progress bar appears while the changes are being applied).

Create a new Web publishing rule for ISA Server 2006 or ISA Server 2006 SP1

Use the following procedure to create a new Web publishing rule for ISA Server 2006 or ISA Server 2006 Service Pack 1 (SP1).

To create a new Web publishing rule for ISA Server 2006 or ISA Server 2006 SP1

On the ISA Server, open ISA Server Management. To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

In the console tree, expand the ISA Server name. (If you are using ISA Server 2006 SP1 Enterprise Edition, expand Arrays, and then expand the ISA Server name.)

Click Firewall Policy.

On the Tasks tab, click Publish Web Sites.

On the Welcome to the New Web Publishing Rule Wizard page, in the Web publishing rule name box, type a name for the new publishing rule, and then click Next.

On the Select Rule Action page, click Allow, and then click Next.

On the Publishing Type page, ensure that Publish a single Web site or load balancer is selected, and then click Next.

On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm, and then click Next.

On the Internal Publishing details page, in the Internal site name box, type the name of the TS Gateway server, and then click Next.

If the ISA Server cannot resolve the name of the TS Gateway server, either add an entry to the Hosts file of the ISA Server that maps the FQDN of the TS Gateway server to its IP address, or type the IP address of the TS Gateway server in the Internal site name box. Prefer the Hosts file entry: with HTTPS-HTTPS bridging, ISA Server checks the certificate of the TS Gateway server against the name entered here, and an IP address will not match the name in the certificate.

On the second instance of the Internal Publishing Details page, do the following:

Ensure that the Path box is empty.

Ensure that the Forward the original host header instead of the actual one specified in the Internal site name field on the previous page check box is cleared.

Click Next.

On the Public Name Details page, do the following:

In Accept requests for, ensure that This domain name (type below) is selected.

In the Public name box, type the name of the TS Gateway server. The specified name must match the name of the TS Gateway server through which users will connect in this scenario. This name must also match the certificate name (CN) or the Subject Alternative Name (SAN) in the certificate that is installed on the TS Gateway server.

Note

If you are using the Subject Alternative Name (SAN) attributes of certificates, clients that connect to the TS Gateway server must be running RDC 6.1. RDC 6.1 is available with Windows Server 2008, Windows Vista with SP1, and Windows XP with SP3. The RDC 6.1 (6.0.6001) client supports Remote Desktop Protocol 6.1.

Ensure that the Path box is empty.

Click Next.

If required, create a new SSL Web listener. If you have a pre-existing listener with a certificate that matches the public name, you do not need to create a new SSL Web listener. In this case, select the appropriate Web listener, click Next, and then skip the New Web Listener steps that follow and continue at the step that confirms the Web listener on the Select Web Listener page.

If you do need to create a new SSL Web listener, do the following:

On the Select Web Listener page, click New.

On the Welcome to the New Web Listener Wizard page, in the Web Listener Name box, type a name for the Web listener, and then click Next.

On the Client Connection Security page, ensure that Require SSL secured connections with clients is selected, and then click Next.

On the Web Listener IP Addresses page, under Listen for incoming Web requests from these networks, select the External check box.

Ensure that The ISA Server will compress content sent to clients through this Web Listener if the clients requesting the content support compression check box is selected.

Click Select IP Addresses.

On the External Listener IP Selection page, do the following:

Click Specified IP addresses on the ISA Server in the selected Network. Under Available IP addresses, select the appropriate IP address, click Add, and then click OK.

Click Next.

On the Listener SSL Certificates page, click Assign a certificate for each IP address, click the appropriate IP address, and then click Select Certificate.

On the Select Certificate page, under Select certificate, click the TS Gateway server certificate, click Select, and then click Next.

Note

ISA Server 2006 is able to use either the Subject or the first Subject Alternative Name (SAN) entry. For example, if ISA Server is expecting the certificate to read “contoso.com,” the name should be in one of the following formats:

The certificate Subject (the common name, CN)

Or

The first entry in the Subject Alternative Name (SAN) list (ISA Server 2006 only)

These restrictions do not impact ISA Server 2006 SP1.

On the Authentication Settings page, select the option that matches your deployment, and then click Next. In every case the TS Gateway server, not ISA Server, authenticates the user; the publishing rule is configured later with No delegation, but client may authenticate directly.

If ISA Server is a member of a domain and clients authenticate by using only a password, click No Authentication.

If ISA Server is a member of a domain and clients authenticate by using only a smart card, click SSL Client Certificate Authentication or No Authentication.

If ISA Server is in a workgroup, click No Authentication, whether clients authenticate by using a password, a smart card, or both.

Note

If both password and smart card authentication are allowed on the TS Gateway server, Authentication Settings must be set to No Authentication, not to SSL Client Certificate Authentication, because the listener would otherwise require a client certificate from every connection and reject the clients that authenticate with a password.

On the Single Sign On Settings page, click Next.

On the Completing the New Web Listener Wizard page, click Finish.

On the second instance of the Completing the New Web Listener Wizard page, confirm that the correct Web listener properties appear, and then click Finish.

On the Select Web Listener page, confirm that the appropriate Web listener is selected, and then click Next.

On the Authentication Delegation page, click No delegation, but client may authenticate directly, and then click Next.

Important

Selecting the incorrect Authentication Delegation option will cause clients to be unable to connect to the TS Gateway server. Clients will receive a continuous credential prompt indicating that the logon failed.

On the User Sets page:

If Authentication Settings in SSL Web listener is set to No Authentication, verify that All Users is selected, and then click Next.

If Authentication Settings in SSL Web listener is set to SSL Client Certificate Authentication, verify that All Authenticated Users is selected, and then click Next.

On the Completing the New Web Site Publishing Rule Wizard page, click Finish.

To save the changes and update the ISA Server firewall policy, in the details pane of the ISA Server Management console, click Apply.

In the Apply New Configuration dialog box, click OK after the changes are applied (a progress bar appears while the changes are being applied).

5. Configuring SSL Bridging

SSL bridging is the termination or initiation of an SSL connection by the ISA Server. The ISA Server processes the HTTPS request for the client and then forwards the request to a Web server by using HTTP or HTTPS. See the diagram under “Setting up the TS Gateway ISA Server scenario” for an illustration.

HTTPS-HTTPS

When you select this mode, ISA Server establishes a secure HTTPS connection with the client, and then forwards the request as secure HTTPS to the published Web server.

Configuring the ISA Server for the HTTPS-HTTPS scenario:

Double-click the Web publishing rule created in step 4, “Create a new Web publishing rule on the ISA Server.”

On the Bridging tab, verify the following options:

Redirect requests to SSL port: Selected

Port Number: 443

Redirect requests to HTTP port: Not Selected

Configuring the TS Gateway server for the HTTPS-HTTPS scenario:

In TS Gateway Manager, right-click the TS Gateway server, click Properties, and then click the SSL Bridging tab.

Verify that Use HTTPS-HTTP bridging is not selected.

HTTPS-HTTP

When you select this mode, ISA Server establishes a secure HTTPS connection with the client, and then forwards the request as standard HTTP to the published Web server.

Configuring the ISA Server for the HTTPS-HTTP scenario:

Double-click the Web publishing rule created in step 4, “Create a new Web publishing rule on the ISA Server.”

On the Bridging tab, verify the following options:

Redirect requests to SSL port: Not Selected

Redirect requests to HTTP port: Selected

Configuring the TS Gateway server for the HTTPS-HTTP scenario:

In TS Gateway Manager, right-click the TS Gateway server, click Properties, and then click the SSL Bridging tab.

Verify that Use HTTPS-HTTP bridging is selected.

Important

Authentication by using a smart card only works if HTTPS-HTTP bridging has been enabled on the TS Gateway server.

6. Verify client configuration and test end-to-end connectivity

Terminal Services clients that connect through the ISA Server to the TS Gateway server can be located in the external network range of the ISA Server. Web publication can also be configured for the internal network. Doing this allows you to use a single namespace for the TS Gateway server and ensure that Terminal Services clients must connect through ISA Server before connecting to the TS Gateway server.

In a typical deployment, the TS Gateway server address and the IP address of the ISA Server will be published in DNS. As a result, clients will resolve the TS Gateway server address to the ISA Server. The secure Web publishing rule that you create for the ISA Server ensures that all incoming requests to the TS Gateway server from the external network will be forwarded to the TS Gateway server, which is located in the internal network.

If you cannot publish entries to DNS, for testing purposes, you can add an entry to the Hosts file of the client that maps the TS Gateway server address to the IP address of the ISA Server. The Hosts file on the client is located at %windir%\system32\drivers\etc\hosts.

Note

You can verify that the ISA Server for the TS Gateway server has been properly configured by opening a Web browser to the following address: https://<TS_Gateway_Server_FQDN>. The default IIS welcome page should display without any certificate errors if connectivity between the ISA Server and the TS Gateway server has been properly configured.

Troubleshooting Tips

The following tips describe common client symptoms, what the ISA Server logs and the Test Rule feature (ISA Server 2006 SP1) report for each, and how to resolve them:

Client symptoms: The RDC Client is unable to connect and continuous credential prompts are displayed to the user.

The ISA Server logs will indicate a denied connection with status that the specified URL was denied. On ISA Server 2006 SP1 in the rule properties window, you can click Test Rule, and the error An unexpected response was received from the server. HTTP response: 404 not found. is displayed.

Resolution: Use the ISA Server manager to select the rule that you created in step 4, “Create a new Web publishing rule on the ISA Server.” Right-click the rule, click Properties, and then verify the following settings:

Listener tab of the Gateway publishing rule: Verify that the warning "The selected web listener is not configured with certificates matching one or more of the public names defined in this rule" does not appear, and that the public name of the TS Gateway server matches the name in the certificate assigned to the listener.

Authentication delegation on the Gateway publishing rule: No delegation, but client may authenticate directly

Paths on the Gateway publishing rule: /*

Client symptoms: Clients receive an error that the TS Gateway server is unreachable. The ISA Server logs indicate failed connection attempt with error code 0x80090332. On ISA Server 2006 SP1, in the rule properties window, you can click Test Rule, and the error Name resolution error is displayed.

Resolution: Use the ISA Server manager to select the rule that you created in step 4, “Create a new Web publishing rule on the ISA Server.” Right-click the rule, and then click Properties. On the To tab, verify that the site named under This rule applies to this published site is reachable from the ISA Server: the name must resolve through DNS or the Hosts file of the ISA Server, and the TS Gateway server must answer on the port specified on the Bridging tab.

Client symptoms: Clients receive a timeout error for the connection with the TS Gateway server. The ISA Server logs indicate that the connected party failed to respond properly or within the expected time. On ISA Server 2006 SP1, in the rule properties window, you can click Test Rule, and the error 10060 is displayed.

Resolution: Use the ISA Server manager to select the rule that you created in step 4, “Create a new Web publishing rule on the ISA Server.” Right-click the rule, and then click Properties. On the Bridging tab, verify that the Web server ports are set as follows:

Redirect requests to HTTP port: 80

Redirect requests to SSL port: 443

After performing the appropriate troubleshooting tips, ensure that the client is correctly configured as a TS Gateway client as described in "Steps for configuring a Terminal Services client for the TS Gateway core scenario" in Configuring the TS Gateway Core Scenario. To ensure that connectivity is successful in this scenario, follow the steps in "Verify that end-to-end connectivity through TS Gateway is functioning correctly" in Configuring the TS Gateway Core Scenario.
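The following PowerShell script is an added example for this guide; it is not code from the guide, from ISA Server or from TS Gateway. It performs from the command line the checks behind the browser test in step 6 and behind the three troubleshooting cases above: name resolution, a TCP connection on the listener port, a TLS handshake in which the certificate validation result is reported instead of raising an error, and a single HTTP request. Run it on a Terminal Services client against the public name to confirm that the client reaches the TS Gateway server through ISA Server, and on the ISA Server against the internal site name (with -ExpectedIp set to the address of the TS Gateway server) to reproduce what Test Rule checks. The public name tsg.contoso.com, the address 203.0.113.10 and the parameter names are hypothetical placeholders.

```powershell
# Added example; not part of the original guide, of ISA Server or of TS Gateway.
# Probes an HTTPS endpoint the way a Terminal Services client (or ISA Server's Test Rule) does:
# name resolution, TCP connect, TLS handshake with certificate validation, one HTTP request.
# Assumptions (hypothetical): tsg.contoso.com is the public name and 203.0.113.10 is the
# external listener address of the ISA Server.
param(
    [string]$Name       = "tsg.contoso.com",
    [string]$ExpectedIp = "203.0.113.10",
    [int]$Port          = 443,
    [string]$Path       = "/"
)

$script:policyErrors = $null

# 1. Name resolution. From a client the name must resolve to the ISA Server (DNS or Hosts file);
#    from the ISA Server it must resolve to the TS Gateway server, or Test Rule reports
#    "Name resolution error".
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
} catch { throw "Name resolution failed for $Name : $($_.Exception.Message)" }
"Resolved $Name to $($addrs -join ', ')"
if ($ExpectedIp -and ($addrs -notcontains $ExpectedIp)) {
    Write-Warning "$Name does not resolve to the expected address $ExpectedIp"
}

# 2. TCP connect with a 10 second timeout; a hang here corresponds to the 10060 timeout symptom
#    (wrong port on the Bridging tab, or a firewall between the two hosts).
$tcp = New-Object System.Net.Sockets.TcpClient
$ar  = $tcp.BeginConnect($Name, $Port, $null, $null)
if (-not $ar.AsyncWaitHandle.WaitOne(10000, $false)) { throw "TCP connect to ${Name}:${Port} timed out" }
$tcp.EndConnect($ar)

# 3. TLS handshake. The callback records the validation result instead of rejecting the
#    certificate, so a name mismatch or untrusted root is reported rather than hidden in an exception.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true   # diagnostics only; never do this in production code
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($Name)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Server certificate: subject=$($cert.Subject); issuer=$($cert.Issuer); expires=$($cert.NotAfter)"
"Validation result : $script:policyErrors   (None = chain trusted and name matches $Name)"

# 4. One HTTP request inside the TLS session. The status line shows whether the request was
#    forwarded by the publishing rule; compare it with what the ISA Server log records.
$writer = New-Object System.IO.StreamWriter($ssl)
$writer.NewLine = "`r`n"
$writer.WriteLine("GET $Path HTTP/1.1")
$writer.WriteLine("Host: $Name")
$writer.WriteLine("Connection: close")
$writer.WriteLine()
$writer.Flush()
$reader = New-Object System.IO.StreamReader($ssl)
"HTTP status       : $($reader.ReadLine())"
$tcp.Close()
```

Read the output top to bottom: a resolution warning points at DNS or the Hosts file, a connect timeout at the port or an intervening firewall, a validation result of RemoteCertificateNameMismatch at a public or internal site name that differs from the certificate name, RemoteCertificateChainErrors at a missing root certificate in the Trusted Root Certification Authorities store, and a 404 status from a request through ISA Server at the Paths setting of the publishing rule.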

Additional references

The following resources provide information about testing and troubleshooting RPC over HTTP through ISA Server: